问题
I have an issue using MySQL on PHP 5.6, and after three days of debugging PHP, OpenSSL, MySQLnd Drivers on PHP and trying out the mysql_client on an Ubuntu 14.04 machine, I have come to a conclusion: Google Cloud SQL SSL certificates will not work on PHP 5.6 and above.
For a start, the Google Cloud is a great service, and modern cryptography is enforced throughout the Google ecosystem. However, I couldn't use it because of one little problem: Google Cloud SQL SSL Server certificates have impossible common names.
Google Cloud SQL Server (or peer) certificates have a Common Name (CN) that looks something like:
CN=project-name:instance-id
To make matters worse, starting from PHP 5.6, all encrypted client streams will go through mandatory peer certificate validation. (Link: OpenSSL changes in PHP 5.6.x). I use the PHP Data Objects (PDO) extension, which uses the native driver MySQLnd to handle all the MySQL business. This uses the native PHP streams to handle those connections.
I have been looking through the MySQLnd source code on PHP (Link: MYSQLnd Driver Code on GitHub), MySQLnd configuration options to try and disable the SSL peer verification code on this particular MySQLND. To no avail.
Therefore, what should I do if I need to use SSL for MySQL connections on PHP 5.6?
Your response is greatly appreciated!
回答1:
Try connecting through the proxy if you have second generation sql, you might be able to connect pdo via the proxy with 127.0.0.1: https://cloud.google.com/sql/docs/compute-engine-access#gce-connect-proxy
回答2:
Assuming you can convince MySQL that the hostname is should verify is in fact project-name:instance-id
then I would have thought the hostname validation ought to succeed (though I agree that cert doesn't look great).
I tried the following from my Mac OS X workstation and it appeared to succeed, at least when using the mysql
binary (I didn't try via PHP).
First I added a hosts entry on my machine included the colon as part of the name:
1.2.3.4 project-name:instance-id
After doing so I was able to connect successfully with the mysql (5.6.32) installed on my machine:
mysql -uroot -h "project-name:instance-id" --password \
--ssl \
--ssl-ca ~/Downloads/server-ca.pem \
--ssl-cert ~/Downloads/client-cert.pem \
--ssl-key ~/Downloads/client-key.pem \
--ssl-verify-server-cert
(When I ran that same command with the IP address instead, I received ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
)
来源:https://stackoverflow.com/questions/29260464/google-cloud-sql-ssl-fails-peer-certificate-validation